Protecting Your Privacy in Safari for OS X El Capitan

Every time you visit a website you are sharing information about yourself with the outside world. This article runs through a number of methods you can use to gain more control over what gets shared, and who it gets shared with, whenever you use Apple's Safari browser to access the web on a Mac.

It also covers methods you can use to prevent traces of your browsing history from showing up on your computer. While you may trust friends and family not to go searching through your web history, it's possible for them to unintentionally discover what you've been looking at, just by using Safari or performing an innocent search on your Mac. If you're interested in a similar overview covering Safari on iOS, check out this guide.

This guide assumes you are using the latest public release of OS X El Capitan (10.11.6 as of initial writing), which you can check by clicking the  symbol in the menu bar at the top left of your screen and selecting "About This Mac". The version number appears beneath the OS X version name. If you're not up to date, you can download and install the latest version of OS X via the Mac App Store located on the Dock or in the Applications folder.

Cookies, Location Services, and Tracking

Many websites attempt to store cookies and other web page data on computers used to access online content. Cookies are small data files that can include things like your IP address, operating system, web browser version, the date you last visited the site, as well as any personal information you may have provided, such as your name, email address, and any relevant preferences. This information is used to identify you when you revisit a site, so that it can offer tailored services, provide specific content, or display targeted ads.

Websites are increasingly upfront about their use of cookies – you've probably seen notices on popular sites requesting that you acknowledge their use. That's largely because EU law requires sites based within its borders to get consent from visitors to store or retrieve cookie data, and as of September 2015, Google requires that any website using its advertising products complies with the law if any of its visitors are inside the EU, regardless of where the site itself is based.

By default, Safari accepts cookies and website data only from websites you visit, and attempts to block third-party cookies that try to target you with ads or create a profile of your online activities. If you don't like the idea of being tracked at all, you can selectively block the use of cookies by following the steps below. Note however that some pages might not work unless you allow the use of cookies, so if you run into login problems or other issues on familiar sites after adjusting these settings, then you might want to dial back the changes.

Additionally, you may have noticed how Safari asks if you want to share your location whenever you visit a geolocation-enabled website. If you don't expect the site to provide helpful location-based services such as regional weather information or local amenities, you can deny the request and continue to do so like this on a case-by-case basis. Alternatively, you can change Safari's behavior whenever it encounters such a site, as described in the following steps.

Lastly, Do Not Track is a feature you can enable to prevent websites from tracking your site visits across the web. With the feature turned on, Safari specifically asks sites and their third party content providers (including advertisers) not to track you. In reality, it's up to the website to honor this request, but it's an option worth enabling for a potential extra layer of privacy.

Here's how to change Safari settings for cookies, location services, and tracking:

Select how Safari should deal with cookies and website data by clicking on the relevant button. Your options are: Always block, Allow from current website only, Allow from websites I visit (the default setting), and Always allow.

This tab also lets you check any existing website data stored in your browser cache. You can get more information on it, as well as remove data for individual websites, by clicking the "Details..." button.

To remove all data completely, press the button on the Privacy tab labeled "Remove All Website Data..." and confirm with "Remove Now", or click "Remove All" from within the "Details..." dialog.

In the section labeled "Website use of location services", choose from: Prompt for each website once each day; Prompt for each website one time only; and Deny without prompting.

To enable the Do Not Track feature, check the box at the bottom of the Privacy tab next to "Ask websites not to track me".

Enable Private Browsing

By enabling Private Browsing, you can prevent Safari from remembering the pages you visit and any AutoFill information, while any tabs you open within a private window won't be stored in iCloud. Safari also automatically asks sites and third-party content providers not to track you, prevents sites from modifying any information stored on your Mac, and deletes cookies when you close the related tab or window.

In Safari's menu bar, select File -> New Private Window. You'll notice the Safari address bar appears dark instead of light in a private window, indicating that Safari will not cache your browsing history, store snapshots of pages you visited or save your search history, and any AutoFill information will be lost after the window (or tab) is closed.

If you want to default to private browsing, you can set Safari to open a new Private Browsing window every time the app is launched. Choose Safari -> Preferences..., click General, select the "Safari opens with" pop-up menu, then choose "A new private window".

Clear Browsing History

Safari for Mac enables you to remove all records of your browsing history including cookies and other cached website data over a specific timeframe of your choosing.

Browsing records that are cleared using the first method described below include any Top Sites not marked as permanent, your Frequently Visited Sites list, recent searches typed into the Safari search bar, web page snapshots shown in the open tab preview screen, download lists (but not downloads), sites you asked to send you notifications, and sites supporting Quick Website Search (the ability to search within specific sites from the Safari search bar).

Note that this method also clears history and web data from any devices logged into the same iCloud account.

To clear all history including cached website data and cookies, select Safari -> Clear History... from the Safari menu bar.

In the dialog window that appears, select the timeframe that you'd like to clear from the dropdown menu. Your options are: the last hour, today, today and yesterday, and all history. Click "Clear History" to confirm.

If you want to clear your history but keep cached website data and cookies, hold the Alt/Option key on your keyboard during step 1 above, and the "Clear History..." menu option will change to "Clear History and Keep Website Data". Choose this description instead and continue on to select your clearance timeframe.

If you only want to remove specific websites from your history, ignore the steps above and instead click "History" in the Safari menu bar, select "Show History", right-click a site in the list, and then select "Remove" from the contextual menu.

In the Search Results tab, uncheck the box next to "Bookmarks & History" (and "Bing Web Searches", if this is your default search engine).

Switch Search Engine and Disable Safari Suggestions

Just because you cleared your browsing history and web data in Safari or browsed in a Private window, doesn't mean your searches aren't still recorded elsewhere. For example, if you logged into a Google account during the session, searches you performed may be logged by Google and later show up as search suggestions when you start typing in the Google search bar in the same account. In fact, your search and ad results may be customized based on your search-related activity, even if you're signed out of your account.

To get around this issue, either consult the privacy help page of your preferred search engine to learn how to turn off tracking settings, or set a non-tracking search engine such as StartPage as your home page (using the General tab in Safari -> Preferences...). The next series of steps shows you how to set up Safari to use the non-tracking search engine DuckDuckGo when you type search queries into the address bar.

Another thing to reconsider is your use of Safari Suggestions. With this option enabled, your search queries, the Safari Suggestions you select, and related usage data are sent to Apple. Additionally, if you have Location Services turned on, when you make a search query in Safari with Safari Suggestions enabled your location is also sent to Apple. If you don't want this information shared, turn off Safari Suggestions as shown below.

From the Safari menu bar, select Safari -> Preferences..., and click on the Search tab.

Select the DuckDuckGo search engine from the dropdown menu. You can also choose whether you want search engine suggestions appearing in the Safari search bar using the checkbox immediately below.

Uncheck the box next to "Include Safari Suggestions" in the Smart Search Field options; you can also disable the Quick Website Search function if you prefer by using the checkbox below.

Disable Frequently Visited Sites

By default, Frequently Visited Sites appear below your Favorites whenever you open a new tab or a new Safari window. You can turn this feature off.

There are two ways to prevent frequently visited sites from appearing in new tabs and windows. The simplest way is to click Bookmarks in the Safari menu bar and untick "Show Frequently Visited in Favorites". The second method described below prevents Favorites from appearing in new tabs and windows altogether, but removes the option to display your Top Sites as well.

From the Safari menu bar, select Safari -> Preferences..., and select the General tab.

In the dropdown menus for "New windows open with:" and "New tabs open with:", select an option other than Favorites, such as "Empty Page".

Turn Off AutoFill

Safari's AutoFill feature remembers text and values you enter into online forms, and can be useful for speeding up logins and registrations as well as online purchases. If other people use your Mac, you might not want this information to show up when websites are revisited. Here's how to disable AutoFill.

In the Safari menu bar, select Safari -> Preferences... and click on the AutoFill tab.

Uncheck the boxes next to the details you wish to prevent Safari from autocompleting in web forms. You can also edit already saved information by clicking the "Edit..." buttons.

Finally...

If your web privacy concerns extend to a desire for enhanced security and comprehensive end-to-end encryption, consider subscribing to a Virtual Private Network (VPN) service (Private Internet Access and IPVanish are two popular choices) and using Tor browser for OS X.

Top Rated Comments

I got tired of managing tracking cookies (yes, they DO get set even with "do not track" activated!) with an external app named Cookie. Deleting cookies also removes useful cookies like logins.

Do not track is nothing more than a signal that your browser sends along. Whether websites honour this setting is up to them and most do not even pay attention to it.

What is so tiring about Cookie though? You set it up once and mark your favourite websites. Cookie takes care of the rest and deletes all non-favourites and tracking cookies automatically. It even gets rid of Flash and Silverlight cookies.

The problem with cookies is that websites can detect if you are blocking cookies or not. It is thus better to let them set cookies and just remove them periodically.
[doublepost=1470423198][/doublepost]

There is no such thing as privacy any longer if you are connected to the web. You can practice safer browsing techniques but if you are connected and chose a digital life you are volnerable.

That depends on your definition of privacy as well as the persons you want to protect yourself against. It is certainly impossible to shield yourself completely, but it is relatively easy to keep certain groups out.

There is no such thing as privacy any longer if you are connected to the web. You can practice safer browsing techniques but if you are connected and chose a digital life you are volnerable.

Yea, for the most part, unless you have a clean everything through a VPN... then you're pretty safe if the VPN provider isn't compromised.

But, the more of these kind of techniques you implement, the more work it makes to track everything related to you. Or, at least it keeps you a bit anonymous from provider to provider. The gov't is a whole other matter (and, unfortunately, the biggest threat).

I got tired of managing tracking cookies (yes, they DO get set even with "do not track" activated!) with an external app named Cookie. Deleting cookies also removes useful cookies like logins.

Yea, that's the problem. Cookies are generally a good thing, they can just be used to track things beyond what a person might want. Managing them is more trouble than it's worth, I'd think.

The other issue is that someone like the gov't could aggregate info across providers, so even a VPN won't do much good with modern OSs. Since modern OSs constantly log into various accounts from various apps, even when you're connected to a VPN, it would be quite easy to connect an IP at point in time, with a person.

Yea, for the most part, unless you have a clean everything through a VPN... then you're pretty safe if the VPN provider isn't compromised.

Thanks MR for posting this. I welcome more such articles since informed users are the best safe guard for privacy and security.

Nowadays, a VPN will not make you very anonymous. Only enough to protect your anonymity against the bottom feeders (that don't have state-level resources and freedoms) in the global PII-market . E.g. commercial companies such as the content industry who hunt Bill 16 yrs for sharing a movie.

One of the reasons is that the combination of meta data that every browser shares when connecting to a web-server is unique. Go to EFF Panopticklick ('https://panopticlick.eff.org') and test your browser. Based on this profiling can be made (and is made) by actors having the necessary resources.

Still, I don't connect to internet without using a VPN that gives a basic privacy protection.

Point is that education, knowledge and proper acting is something that will increase users security and privacy many times more than installing an AV then forget about it.

One very simple principle for concerned users is to stop using services from companies that hord your PII (Personally Identifiable Information) for commercial purposes, i.e. where their business model is to make money off your PII. E.g. the entire social-media industry as well as Google (the big one) and Microsoft, who with W10 joined the same business model as well, even for enterprise ('http://www.theregister.co.uk/2016/08/04/microsoft_adds_enterprise_products_to_its_privacy_policy/').

With the current development users have at one point to decide whether the cost (you, your person, your privacy, your life basically) is worth in exchange for taking part in the connectivity internet offers.

Nowadays, a VPN will not make you very anonymous. Only enough to protect your anonymity against the bottom feeders (that don't have state-level resources and freedoms) in the global PII-market ...

One of the reasons is that the combination of meta data that every browser shares when connecting to a web-server is unique. Go to EFF Panopticklick ('https://panopticlick.eff.org') and test your browser. Based on this profiling can be made (and is made) by actors having the necessary resources.

No doubt.... if the Feds come after you, you're pretty much screwed. I guess I was thinking of a form of profiling to someone who had data across services. But, I'd forgotten about machine-build profiling and such. Macs are probably a bit more secure (i.e.: less unique) in that regard, but once you combine stuff like software, plugins, and fonts installed, there's a pretty big heap of circumstantial evidence there.

Meanwhile Windows 10 just sends all of your keystrokes to Microsoft/the NSA

Heh, yea. We're talking about many levels/layers of privacy here. If the NSA is after you, you'd best stay off the 'Net. But, that said, why make things any easier for any of these folks... site-owner/advertiser to gov't agency? Most end up going after the low-hanging fruit, unless you're specifically targeted.

MacRumors attracts a broad audience
of both consumers and professionals interested in
the latest technologies and products. We also boast an active community focused on
purchasing decisions and technical aspects of the iPhone, iPod, iPad, and Mac platforms.